Cisco Support Community
New Member

PIX nat/global config

Does the below config allow (just from a NAT perspective) hosts on the 10.1.1.0 subnet to access servers on the 192.168.1.0 subnet?

Is this NATing the FTP interface to the 10.1.1.10 address?

If so, would this overrule any access-list that was applied inbound to the FTP interface preventing anything from the 10.1.1.0 subnet?

global (ftp) 1 10.1.1.10

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

ip address inside 10.1.1.1 255.255.255.0

ip address ftp 192.168.1.1 255.255.255.0

2 REPLIES
New Member

Re: PIX nat/global config

No, your global command should have an address in the 192.168.1.0 subnet. (It could have another address, if the next-hop router had a route to the address pointing towards the "ftp" interface address, but we won't confuse things here). You could use the interface address itself for PAT.

You can't NAT an interface address.

Access lists always take precedence.

New Member

Re: PIX nat/global config

These are the actual configuration components below. The actual interface is 192.168.204.1, but the global is 10.1.40.249.

If the interface already has an IP address, what is the 10.1.40.249?

ip address inside 10.1.73.1 255.255.255.0

ip address ftp 192.168.204.1 255.255.255.0

global (outside) 1 interface

global (inside) 3 172.32.255.254

global (ftp) 1 10.1.40.249

nat (outside) 0 access-list nonatoutside outside

nat (outside) 3 access-list pefcu outside 0 0

nat (inside) 0 access-list NO_NAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
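Added example, not part of the thread or of any Cisco tooling: a small Python check that applies the first reply's rule to a pasted configuration, reporting for each global line whether its address lies in the subnet of the interface it is bound to. The function name audit_globals and the status labels are assumptions made for this example, and it parses only the line forms shown in the thread.

```python
import ipaddress
import re

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \(([^)\s]+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \(([^)\s]+)\) (\d+) ")

def audit_globals(config):
    """Return (interface, nat_id, address, status) for every global line."""
    nets, pools, nat_ids = {}, [], set()
    for line in (raw.strip() for raw in config.splitlines()):
        if m := IP_RE.match(line):
            nets[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}").network
        elif m := GLOBAL_RE.match(line):
            pools.append(m.groups())
        elif m := NAT_RE.match(line):
            nat_ids.add(m.group(2))
    findings = []
    for ifname, nat_id, addr in pools:
        if nat_id not in nat_ids:
            status = "no-nat-rule"       # no nat statement uses this pool id
        elif addr == "interface":
            status = "interface-pat"     # PAT to the interface's own address
        elif ifname not in nets:
            status = "no-interface-ip"   # no ip address line to compare against
        elif ipaddress.ip_address(addr.split("-")[0]) in nets[ifname]:
            status = "on-subnet"
        else:
            status = "off-subnet"        # next hop needs a route to it via ifname
        findings.append((ifname, nat_id, addr, status))
    return findings

# Configuration lines quoted from the follow-up post in this thread.
FOLLOW_UP = """\
ip address inside 10.1.73.1 255.255.255.0
ip address ftp 192.168.204.1 255.255.255.0
global (outside) 1 interface
global (inside) 3 172.32.255.254
global (ftp) 1 10.1.40.249
nat (outside) 0 access-list nonatoutside outside
nat (outside) 3 access-list pefcu outside 0 0
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

if __name__ == "__main__":
    for finding in audit_globals(FOLLOW_UP):
        print(*finding)
```

An off-subnet result is not necessarily an error: as the first reply notes, such a global can work when the next-hop router has a route to that address pointing at the interface.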
